
The industry is seeing a high number of phishing emails these days, which has resulted in high adoption of DMARC.

DMARC was introduced to combat From header spoofing, and it depends on SPF and DKIM for its decision making. Here we will talk about the SPF record and the best practice for publishing it.

  • You must have an SPF record for your HELO/EHLO domain.
  • You must have an SPF record for the MAIL FROM domain.
  • For an empty Return-Path, as used in error messages and other auto-replies, an SPF check of the HELO identity is mandatory.

Here is a sample SPF record for one of Facebook's IPs/hostnames. Everyone should follow this method to publish a correct SPF record for their MTA; it will also help bounce emails pass SPF.

As per the RFC, bounce messages must have an SPF record for their EHLO/HELO domain.


The EHLO/HELO domain looks like this in the email headers. It is also configurable on your MTA servers.

Received: from ( [x.x.x.x by with ESMTPS id z64si6014252qtc.309.2017.
        for <>


Publish an SPF record like the one below, the way has done:

  • TXT record lookup of returned these entries. One of the IPs was


  • had rDNS of


  • has a TXT record of v=spf1 a ~all


Either of the above options will fix the DMARC issue as well and make the SPF record aligned.
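The rule above, as an added Python example (not code from the original post): it picks the identity SPF is checked against, falling back to the HELO name when the Return-Path is empty, and evaluates a record such as `v=spf1 a ~all` against the connecting IP. The hostnames, addresses and the `ZONE` table are constructed, and only the `a`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data: documentation names and addresses, not values from the page.
ZONE = {
    ("mta1.example.net", "A"): ["192.0.2.25"],
    ("mta1.example.net", "TXT"): ["v=spf1 a ~all"],   # record on the HELO hostname
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_identity(mail_from, helo):
    """Pick the domain SPF is evaluated against.

    A null reverse-path (bounces, auto-replies) has no domain, so the check
    falls back to the HELO/EHLO name (RFC 7208, section 2.4).
    """
    if mail_from.strip() in ("", "<>"):
        return "helo", helo.lower()
    return "mfrom", mail_from.strip("<> ").rsplit("@", 1)[1].lower()

def check_host(ip, domain, zone=ZONE):
    """Evaluate a subset of SPF (a, ip4, all) for `domain` against `ip`."""
    records = [t for t in zone.get((domain, "TXT"), []) if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # no SPF record published for this identity
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":      # A records of the target (default: the domain itself)
            matched = any(addr == ipaddress.ip_address(a)
                          for a in zone.get((arg or domain, "A"), []))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism outside this example's subset: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and no `all` term

def evaluate(ip, helo, mail_from):
    """Return (identity scope, domain checked, SPF result) for one SMTP session."""
    scope, domain = spf_identity(mail_from, helo)
    return scope, domain, check_host(ip, domain)
```

A bounce from a host whose HELO name has no SPF record comes back as `none`, which is the case the HELO record is meant to close.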

Thank you for reading!